Yor Suiris
Summary:
System Account keeps creating directory called Pinball. Should I be
concerned?
Details:
I was searching the registry to trace another problem and found entries for
Pinball. I checked and found "Program files\Windows NT\Pinball". I did not
install Pinball on this machine and there are/were no uninstall options anywhere
that I could find (i.e. Add and Remove Programs or in Games under Windows
Options).
Like I said I NEVER installed it.
So I went with my next standard practice with unknown folders, rename,
reboot and check the logs. Well I could not rename it as I was told it was
in use. So boot to safe mode command prompt only and renamed it. Then
rebooted.
Well I now find a NEW folder named Pinball right next to the one I renamed
and again I can not delete or rename as it is in use. Now this one shows 0
files and 0 size (old one had Pinball.exe and a bunch of images). So I
changed Permissions on the Windows NT directory so only my logon had any
rights to the folder at all.
Boot into Safe Mode delete the current pinball folder and boot up normally
and no Pinball. OK.
But my curiosity was up so I reset auditing and rebooted. I found that it
was the system account.
User: NT AUTHORITY\SYSTEM
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\Windows NT\pinball
Handle ID: -
Operation ID: {0,38694}
Process ID: 624
Image File Name: C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Primary User Name: Machine$
Primary Domain: ThisPlace
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
Privileges: -
Restricted Sid Count: 0
I have denied the System Account Write access to the directory Windows NT
and reset the rest of the security as it was. A couple of other things that
may or may not be related (if anyone is still with me).
I am getting errors about a D: drive; I have no D: drive. I have two hard
drives, labelled C: & E:; D: is the CD ROM and it is empty.
The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 8007043C from line 44 of
d:\nt\com\com1x\src\events\tier1\eventsystemobj.cpp.
Also during this process I found the local Admin account logging off and on.
There are NO services set to use that account. I have since disabled it.
Now am I being paranoid or do I have a problem?
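The audit record quoted above, parsed and classified by the rights carried on the handle, as an added example that is not part of the original post. The first record is the one from the post; the second is constructed, with a placeholder image path, to show what an open with create rights looks like. The access-right strings are matched by prefix in the legacy Windows 2000/XP "Object Open" (Event ID 560) spelling the post uses. The point the classifier makes: a record whose only accesses are SYNCHRONIZE and ReadData (or ListDirectory) shows a process enumerating the directory, not creating it, so it is the opens carrying WriteData, AppendData or DELETE rights that identify who added or removed entries.

```python
import re
from dataclasses import dataclass

# Rights whose presence on a directory handle means the process could have added,
# removed or altered entries.  Spelled as the legacy Windows 2000/XP "Object Open"
# (Event ID 560) record prints them, e.g. "WriteData (or AddFile)"; matched by prefix.
MODIFY_PREFIXES = ("WriteData", "AppendData", "WriteAttributes", "WriteEA",
                   "DELETE", "WRITE_DAC", "WRITE_OWNER")

# Record copied from the post.  The stray backtick before "Image File Name" is kept
# deliberately: pasted audit records often carry such debris and the parser drops it.
PAGE_RECORD = r"""
User: NT AUTHORITY\SYSTEM
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\Windows NT\pinball
Handle ID: -
Operation ID: {0,38694}
Process ID: 624
`Image File Name: C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Primary User Name: Machine$
Primary Domain: ThisPlace
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
Privileges: -
Restricted Sid Count: 0
"""

# Constructed record (not from the post): the same directory opened with create rights.
# The image path is a placeholder, not a real program.
CONSTRUCTED_RECORD = r"""
User: NT AUTHORITY\SYSTEM
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\Program Files\Windows NT\pinball
Handle ID: 312
Operation ID: {0,38700}
Process ID: 1234
Image File Name: C:\PLACEHOLDER\example.exe
Accesses: SYNCHRONIZE
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
Privileges: -
Restricted Sid Count: 0
"""


@dataclass
class ObjectOpenEvent:
    user: str
    object_name: str
    process_id: int
    image: str
    accesses: list


def parse_object_open(text: str) -> ObjectOpenEvent:
    """Parse the pasted 'key: value' body of one Object Open audit record."""
    fields = {}
    accesses = []
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("`")      # tolerate the stray backtick seen in pasted logs
        if not line:
            continue
        m = re.match(r"([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
        if m:
            current, value = m.group(1), m.group(2).strip()
            fields[current] = value
            if current == "Accesses" and value:
                accesses.append(value)
        elif current == "Accesses":
            accesses.append(line)           # continuation lines list further rights
    return ObjectOpenEvent(
        user=fields.get("User", ""),
        object_name=fields.get("Object Name", ""),
        process_id=int(fields.get("Process ID", "0")),
        image=fields.get("Image File Name", ""),
        accesses=accesses,
    )


def can_modify(event: ObjectOpenEvent) -> bool:
    """True if the handle carried a right that can add, remove or change entries."""
    return any(a.startswith(MODIFY_PREFIXES) for a in event.accesses)


def find_creators(records, path_suffix="pinball"):
    """Images that opened the watched directory with create/write rights, in order seen."""
    images = []
    for rec in records:
        ev = parse_object_open(rec)
        if ev.object_name.lower().endswith(path_suffix) and can_modify(ev):
            if ev.image not in images:
                images.append(ev.image)
    return images


if __name__ == "__main__":
    for rec in (PAGE_RECORD, CONSTRUCTED_RECORD):
        ev = parse_object_open(rec)
        verdict = "could create/alter" if can_modify(ev) else "read/list only"
        print(f"PID {ev.process_id} {ev.image}: {verdict} -> {ev.accesses}")
    print("processes with create rights:", find_creators([PAGE_RECORD, CONSTRUCTED_RECORD]))
```

Run against a batch of pasted records, the script reports WINLOGON.EXE's open of the folder as read/list only and lists only the constructed record's image as a process that could have created entries; on a real system the next step would be to leave directory auditing on and collect the Object Open records that carry WriteData or AppendData rights against that path.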